rpms/selinux-policy/devel policy-20070703.patch, 1.20, 1.21 selinux-policy.spec, 1.482, 1.483

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Jul 27 18:21:38 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4697

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Tue Jul 23 2007 Dan Walsh <dwalsh at redhat.com> 3.0.4-2
- Add context for dbus machine id


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- policy-20070703.patch	26 Jul 2007 17:54:24 -0000	1.20
+++ policy-20070703.patch	27 Jul 2007 18:21:35 -0000	1.21
@@ -143,6 +143,7 @@
  .TP
  chcon -t public_content_rw_t /var/ftp/incoming
  .TP
+Binary files nsaserefpolicy/myaudit.pp and serefpolicy-3.0.4/myaudit.pp differ
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.0.4/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors	2007-07-25 10:37:36.000000000 -0400
 +++ serefpolicy-3.0.4/policy/flask/access_vectors	2007-07-25 13:27:51.000000000 -0400
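Review bot: The added line `Binary files nsaserefpolicy/myaudit.pp and serefpolicy-3.0.4/myaudit.pp differ` is a diff(1) status message, not patch content; it shows a compiled policy module was sitting in the serefpolicy-3.0.4 tree when the patch was regenerated, and patch(1) will complain about the stray line. Listing `myaudit.pp` in the `exclude` file that the inner diffs already read via `--exclude-from=exclude`, or removing the module before diffing, keeps it out. Because a patch cannot carry the binary, whatever that module grants is also not reviewable from this change.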
@@ -1616,7 +1617,16 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.0.4/policy/modules/apps/loadkeys.te
 --- nsaserefpolicy/policy/modules/apps/loadkeys.te	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/apps/loadkeys.te	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/apps/loadkeys.te	2007-07-27 11:58:52.000000000 -0400
+@@ -30,7 +30,7 @@
+ files_read_etc_runtime_files(loadkeys_t)
+ 
+ term_dontaudit_use_console(loadkeys_t)
+-term_dontaudit_use_unallocated_ttys(loadkeys_t)
++term_use_unallocated_ttys(loadkeys_t)
+ 
+ init_dontaudit_use_script_ptys(loadkeys_t)
+ 
 @@ -40,3 +40,8 @@
  locallogin_use_fds(loadkeys_t)
  
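Review bot: Replacing `term_dontaudit_use_unallocated_ttys(loadkeys_t)` with `term_use_unallocated_ttys(loadkeys_t)` turns a suppressed denial into a grant, so loadkeys_t now gets read/write access to unallocated tty devices instead of merely not logging the attempt. The commit log names only the dbus machine-id context, so the reason this access became necessary is not recorded anywhere. A comment above the call, e.g. `# TODO(review): record which loadkeys invocation needs rw access to unallocated ttys`, would let a later reviewer decide whether the dontaudit can be restored.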
@@ -2926,7 +2936,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.4/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/apache.fc	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/apache.fc	2007-07-26 14:42:51.000000000 -0400
 @@ -16,7 +16,6 @@
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -2935,8 +2945,11 @@
  /usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
  /usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
  /usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -73,3 +72,11 @@
+@@ -71,5 +70,14 @@
+ 
+ /var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/[^/]*/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +
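Review bot: The new pattern `/var/www/[^/]*/cgi-bin(/.*)?` labels any directory named cgi-bin exactly one level below /var/www as httpd_sys_script_exec_t, so a plain content directory that happens to be called cgi-bin would also become executable by the web server. This looks intended for per-site document roots, but the intent is not stated; a comment such as `# cgi-bin directories of per-site document roots under /var/www` above the line would record it. If only a known layout is meant, a narrower pattern avoids relabeling directories that were previously httpd_sys_content_t.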
@@ -3248,7 +3261,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.4/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/apache.te	2007-07-26 10:06:52.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/apache.te	2007-07-26 13:46:18.000000000 -0400
 @@ -30,6 +30,13 @@
  
  ## <desc>
@@ -3277,6 +3290,15 @@
  gen_tunable(httpd_can_network_connect,false)
  
  ## <desc>
+@@ -97,7 +111,7 @@
+ ## Allow http daemon to communicate with the TTY
+ ## </p>
+ ## </desc>
+-gen_tunable(httpd_tty_comm,false)
++gen_tunable(httpd_tty_comm,true)
+ 
+ ## <desc>
+ ## <p>
 @@ -106,6 +120,27 @@
  ## </desc>
  gen_tunable(httpd_unified,false)
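Review bot: Flipping `gen_tunable(httpd_tty_comm,false)` to `gen_tunable(httpd_tty_comm,true)` changes the shipped default of a boolean, so every install that has not set it explicitly will now let httpd communicate with the TTY. A default change is a visible policy change for administrators, yet the 3.0.4-2 changelog entry in this commit mentions only the dbus machine-id context. The entry should list it, e.g. `- Default httpd_tty_comm to true`, and the `## <desc>` block above could say why the default is now on.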
@@ -4632,9 +4654,21 @@
  
  miscfiles_read_localization(cvs_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.0.4/policy/modules/services/dbus.fc
+--- nsaserefpolicy/policy/modules/services/dbus.fc	2007-05-29 14:10:57.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/dbus.fc	2007-07-26 15:13:25.000000000 -0400
+@@ -5,6 +5,8 @@
+ /bin/dbus-daemon 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+ /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+ 
++/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
++
+ ifdef(`distro_redhat',`
+ /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.4/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/dbus.if	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/dbus.if	2007-07-26 15:16:07.000000000 -0400
 @@ -50,6 +50,12 @@
  ## </param>
  #
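Review bot: The new entry `/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)` separates the regex and the context with a single space, while the neighbouring lines in dbus.fc are tab-aligned; matching the column keeps the file consistent and easier to diff. The pattern also covers the whole of /var/lib/dbus, not just the machine-id file named in the changelog, and the dbus.te hunk later in this patch grants system_dbusd_t only `read_files_pattern` on the type; if anything running in that domain creates or rewrites files there, those writes will be denied, so that should be confirmed before relying on a read-only type for the tree.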
@@ -4676,7 +4710,20 @@
  	auth_read_pam_console_data($1_dbusd_t)
  
  	libs_use_ld_so($1_dbusd_t)
-@@ -205,6 +225,7 @@
+@@ -193,6 +213,7 @@
+ 	gen_require(`
+ 		type system_dbusd_t, system_dbusd_t;
+ 		type system_dbusd_var_run_t;
++		type system_dbusd_var_lib_t;
+ 		class dbus send_msg;
+ 	')
+ 
+@@ -202,9 +223,12 @@
+ 	# SE-DBus specific permissions
+ 	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
+ 
++	read_files_pattern($2,system_dbusd_var_lib_t,system_dbusd_var_lib_t)
++
  	# For connecting to the bus
  	files_search_pids($2)
  	stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
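Review bot: `read_files_pattern($2,system_dbusd_var_lib_t,system_dbusd_var_lib_t)` grants search on the dbus directory and read on its files, but $2 must also traverse /var/lib itself, which carries its own type; the var_run case two lines below pairs `stream_connect_pattern` with `files_search_pids($2)` for exactly this reason. Add the matching `files_search_var_lib($2)` next to the new call unless every caller of this interface is known to have it already. The enclosing interface starts outside this hunk.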
@@ -4684,7 +4731,7 @@
  ')
  
  #######################################
-@@ -271,6 +292,32 @@
+@@ -271,6 +295,32 @@
  	allow $2 $1_dbusd_t:dbus send_msg;
  ')
  
@@ -4717,7 +4764,7 @@
  ########################################
  ## <summary>
  ##	Read dbus configuration.
-@@ -286,6 +333,7 @@
+@@ -286,6 +336,7 @@
  		type dbusd_etc_t;
  	')
  
@@ -4725,7 +4772,7 @@
  	allow $1 dbusd_etc_t:file read_file_perms;
  ')
  
-@@ -346,3 +394,23 @@
+@@ -346,3 +397,23 @@
  
  	allow $1 system_dbusd_t:dbus *;
  ')
@@ -4749,6 +4796,28 @@
 +')
 +
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.4/policy/modules/services/dbus.te
+--- nsaserefpolicy/policy/modules/services/dbus.te	2007-07-25 10:37:42.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/dbus.te	2007-07-26 15:12:13.000000000 -0400
+@@ -23,6 +23,9 @@
+ type system_dbusd_var_run_t;
+ files_pid_file(system_dbusd_var_run_t)
+ 
++type system_dbusd_var_lib_t;
++files_pid_file(system_dbusd_var_lib_t)
++
+ ##############################
+ #
+ # Local policy
+@@ -48,6 +51,8 @@
+ manage_files_pattern(system_dbusd_t,system_dbusd_tmp_t,system_dbusd_tmp_t)
+ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+ 
++read_files_pattern(system_dbusd_t,system_dbusd_var_lib_t,system_dbusd_var_lib_t)
++
+ manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
+ manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
+ files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.0.4/policy/modules/services/dhcp.te
 --- nsaserefpolicy/policy/modules/services/dhcp.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/services/dhcp.te	2007-07-25 13:27:51.000000000 -0400
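Review bot: `files_pid_file(system_dbusd_var_lib_t)` marks the new type as a pid file, but /var/lib/dbus is persistent state rather than a runtime pid directory, so the type would be swept into every interface that operates on all pid files; the line appears copied from the `system_dbusd_var_run_t` declaration just above. Use `files_type(system_dbusd_var_lib_t)` instead, which is the refpolicy idiom for /var/lib content. The `read_files_pattern` for system_dbusd_t below is consistent with a read-only machine-id; if the daemon itself ever creates the file, a manage pattern and `files_var_lib_filetrans` would be needed as well.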
@@ -7663,7 +7732,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.4/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/authlogin.if	2007-07-26 10:17:19.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/authlogin.if	2007-07-27 13:58:33.000000000 -0400
 @@ -26,7 +26,8 @@
  	type $1_chkpwd_t, can_read_shadow_passwords;
  	application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -7823,7 +7892,7 @@
  	files_list_var_lib($1)
  
  	miscfiles_read_certs($1)
-@@ -1381,3 +1437,166 @@
+@@ -1381,3 +1437,163 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -7899,10 +7968,7 @@
 +		type updpwd_t, updpwd_exec_t;
 +	')
 +
-+	domain_auto_trans($1,updpwd_exec_t,updpwd_t)
-+	allow updpwd_t $1:fd use;
-+	allow updpwd_t $1:fifo_file rw_file_perms;
-+	allow updpwd_t $1:process sigchld;
++	domtrans_pattern($1,updpwd_exec_t,updpwd_t)
 +	auth_dontaudit_read_shadow($1)
 +
 +')
@@ -7992,7 +8058,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.4/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/authlogin.te	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/authlogin.te	2007-07-27 13:45:53.000000000 -0400
 @@ -9,6 +9,13 @@
  attribute can_read_shadow_passwords;
  attribute can_write_shadow_passwords;
@@ -8007,7 +8073,18 @@
  
  type chkpwd_exec_t;
  application_executable_file(chkpwd_exec_t)
-@@ -159,6 +166,8 @@
+@@ -67,6 +74,10 @@
+ authlogin_common_auth_domain_template(system)
+ role system_r types system_chkpwd_t;
+ 
++# Read only version of updpwd
++domain_entry_file(system_chkpwd_t,updpwd_exec_t)
++
++
+ ########################################
+ #
+ # PAM local policy
+@@ -159,6 +170,8 @@
  dev_setattr_mouse_dev(pam_console_t)
  dev_getattr_power_mgmt_dev(pam_console_t)
  dev_setattr_power_mgmt_dev(pam_console_t)
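Review bot: The comment `# Read only version of updpwd` does not explain what `domain_entry_file(system_chkpwd_t,updpwd_exec_t)` achieves: it makes the updpwd binary a valid entry point into system_chkpwd_t, which, judging by the `type $1_chkpwd_t, can_read_shadow_passwords;` line earlier in this patch, can read but not write shadow. A comment such as `# Let updpwd_exec_t enter system_chkpwd_t, which has read-only shadow access` states the intent; note that this line alone defines no transition, so the domtrans rule that uses it is elsewhere. The hunk also leaves two consecutive blank lines after the new statement where one suffices.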
@@ -8016,7 +8093,7 @@
  dev_getattr_scanner_dev(pam_console_t)
  dev_setattr_scanner_dev(pam_console_t)
  dev_getattr_sound_dev(pam_console_t)
-@@ -236,7 +245,7 @@
+@@ -236,7 +249,7 @@
  
  optional_policy(`
  	xserver_read_xdm_pid(pam_console_t)
@@ -8025,7 +8102,7 @@
  ')
  
  ########################################
-@@ -302,3 +311,30 @@
+@@ -302,3 +315,30 @@
  	xserver_use_xdm_fds(utempter_t)
  	xserver_rw_xdm_pipes(utempter_t)
  ')
@@ -8093,7 +8170,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.4/policy/modules/system/brctl.te
 --- nsaserefpolicy/policy/modules/system/brctl.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.4/policy/modules/system/brctl.te	2007-07-25 16:13:13.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/brctl.te	2007-07-27 13:35:00.000000000 -0400
 @@ -0,0 +1,50 @@
 +policy_module(brctl,1.0.0)
 +
@@ -8117,7 +8194,7 @@
 +allow brctl_t self:tcp_socket create_socket_perms;
 +allow brctl_t self:unix_dgram_socket create_socket_perms;
 +
-+dev_list_sysfs(brctl_t)
++dev_read_sysfs(brctl_t)
 +
 +# Init script handling
 +domain_use_interactive_fds(brctl_t)
@@ -8353,7 +8430,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.4/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/init.if	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/init.if	2007-07-26 13:45:02.000000000 -0400
 @@ -194,9 +194,13 @@
  	gen_require(`
  		type initrc_t;
@@ -8982,7 +9059,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.4/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/logging.te	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/logging.te	2007-07-26 14:57:10.000000000 -0400
 @@ -7,10 +7,15 @@
  #
  
@@ -9015,7 +9092,7 @@
  type syslogd_var_run_t;
  files_pid_file(syslogd_var_run_t)
  
-@@ -59,19 +70,23 @@
+@@ -59,19 +70,25 @@
  	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
  ')
  
@@ -9027,12 +9104,14 @@
 +
  ########################################
  #
- # Auditd local policy
+-# Auditd local policy
++# Auditctl local policy
  #
  
 -allow auditctl_t self:capability { audit_write audit_control };
 -allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
--
++allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+ 
  read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
  allow auditctl_t auditd_etc_t:dir list_dir_perms;
  
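Review bot: `allow auditctl_t self:capability { fsetid dac_read_search dac_override };` grants three capabilities without a comment saying which operation needs each; dac_override bypasses all DAC permission checks, while dac_read_search alone is normally enough to read configuration owned by another user. If the need is reading the audit rules or config, drop dac_override and keep dac_read_search; fsetid is unusual for a rule-loading tool and may be silencing an incidental chmod/chown path rather than a real requirement. A one-line comment above the rule naming the triggering denial keeps the set reviewable. The renamed heading `# Auditctl local policy` does remove the duplicated `Auditd` section title.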
@@ -9042,7 +9121,7 @@
  files_read_etc_files(auditctl_t)
  
  kernel_read_kernel_sysctls(auditctl_t)
-@@ -91,6 +106,7 @@
+@@ -91,6 +108,7 @@
  
  locallogin_dontaudit_use_fds(auditctl_t)
  
@@ -9050,7 +9129,7 @@
  logging_send_syslog_msg(auditctl_t)
  
  ########################################
-@@ -98,12 +114,11 @@
+@@ -98,12 +116,11 @@
  # Auditd local policy
  #
  
@@ -9064,7 +9143,7 @@
  allow auditd_t self:fifo_file rw_file_perms;
  
  allow auditd_t auditd_etc_t:dir list_dir_perms;
-@@ -141,6 +156,7 @@
+@@ -141,6 +158,7 @@
  
  init_telinit(auditd_t)
  
@@ -9072,7 +9151,7 @@
  logging_send_syslog_msg(auditd_t)
  
  libs_use_ld_so(auditd_t)
-@@ -157,6 +173,8 @@
+@@ -157,6 +175,8 @@
  
  userdom_dontaudit_use_unpriv_user_fds(auditd_t)
  userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
@@ -9081,7 +9160,7 @@
  
  optional_policy(`
  	seutil_sigchld_newrole(auditd_t)
-@@ -243,12 +261,18 @@
+@@ -243,12 +263,18 @@
  allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
@@ -9100,7 +9179,7 @@
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
  
-@@ -257,6 +281,9 @@
+@@ -257,6 +283,9 @@
  manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
  
@@ -9110,7 +9189,7 @@
  allow syslogd_t syslogd_var_run_t:file manage_file_perms;
  files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
  
-@@ -314,6 +341,7 @@
+@@ -314,6 +343,7 @@
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
@@ -9344,7 +9423,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.4/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/mount.te	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/mount.te	2007-07-26 13:15:01.000000000 -0400
 @@ -8,6 +8,13 @@
  
  ## <desc>
@@ -9428,7 +9507,7 @@
  ')
  
  optional_policy(`
-@@ -201,4 +219,53 @@
+@@ -201,4 +219,54 @@
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
@@ -9450,6 +9529,7 @@
 +corecmd_exec_shell(mount_ntfs_t)
 +
 +files_read_etc_files(mount_ntfs_t)
++files_search_all(mount_ntfs_t)
 +
 +libs_use_ld_so(mount_ntfs_t)
 +libs_use_shared_libs(mount_ntfs_t)
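Review bot: `files_search_all(mount_ntfs_t)` grants search on every directory type in the policy, which is broader than a mount helper normally needs to reach its mount point. If the goal is to traverse to mount points under /mnt or /media, `files_search_mnt(mount_ntfs_t)` plus whatever specific directory the denial named follows least privilege; if the mount point can genuinely be anywhere, a comment stating so above the call justifies the broad grant.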


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.482
retrieving revision 1.483
diff -u -r1.482 -r1.483
--- selinux-policy.spec	26 Jul 2007 17:54:24 -0000	1.482
+++ selinux-policy.spec	27 Jul 2007 18:21:35 -0000	1.483
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -359,6 +359,9 @@
 %endif
 
 %changelog
+* Tue Jul 23 2007 Dan Walsh <dwalsh at redhat.com> 3.0.4-2
+- Add context for dbus machine id
+
 * Tue Jul 23 2007 Dan Walsh <dwalsh at redhat.com> 3.0.4-1
 - Update with latest changes from upstream
 



